<br><br><div class="gmail_quote">2011/2/25 Charles Lepple <span dir="ltr"><<a href="mailto:clepple@gmail.com">clepple@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Thu, Feb 24, 2011 at 10:36 AM, Arnaud Quette <<a href="mailto:aquette.dev@gmail.com">aquette.dev@gmail.com</a>> wrote:<br>
> Hi Charles,<br>
><br>
> 2011/2/18 Charles Lepple <<a href="mailto:clepple@gmail.com">clepple@gmail.com</a>><br>
>><br>
>> On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:<br>
>><br>
>> Hi John,<br>
>><br>
>> 2011/1/17 John Bayly<br>
>>><br>
>>> On 14/01/2011 20:40, Arnaud Quette wrote:<br>
>>>><br>
>>>> Author: aquette<br>
>>>> Date: Fri Jan 14 20:40:06 2011<br>
>>>> New Revision: 2832<br>
>>>> URL: <a href="http://trac.networkupstools.org/projects/nut/changeset/2832" target="_blank">http://trac.networkupstools.org/projects/nut/changeset/2832</a><br>
>>>><br>
>>>><br>
>>>> +link:<a href="http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]" target="_blank">http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]</a><br>
>>><br>
>>> May I suggest that you also provide checksums for the tarball? I'm<br>
>>> updating the FreeBSD port, and wanted to verify the SHA256 sum. As it's been<br>
>>> downloaded from the NUT website, I know the odds of the source being tainted<br>
>>> are astronomical, but if it's for a distribution, I thought I'd be extra<br>
>>> cautious.<br>
>>> As it is I've verified the GPG sig (never used it before) and used the<br>
>>> computed SHA sum.<br>
>><br>
>> I've added a SHA256 hash, and referenced it in the download section:<br>
>> <a href="http://www.networkupstools.org/download.html" target="_blank">http://www.networkupstools.org/download.html</a><br>
>><br>
>> I've not yet updated the documentation, but it's simple as downloading the<br>
>> nut archive and the matching .sha256 file. Then using:<br>
>> $ sha256sum -c nut-2.6.0.tar.gz.sha256<br>
>><br>
>> Arnaud,<br>
>> I go through a similar set of steps for Fink packages. If there is a GPG<br>
>> signature, I'll verify that, since it provides a little more chain-of-trust<br>
>> information. However, if I am just downloading a single file, it is<br>
>> typically easier to just verify the hash by inspection - that is, with the<br>
>> SHA256 on the web page rather than a separate file download.<br>
>> Also, there is a bit more of an audit trail if the hash is in our web<br>
>> pages in SVN.<br>
><br>
> I may be too far away, in other consideration...<br>
> but, are you saying that it would be better to embed the SHA256 hash<br>
> directly on the web page, or simply that searching for this file may be too<br>
> hard for the user?<br>
><br>
> for the former, the web page always needs a modification for a new publication<br>
> (svn commit then push on www.n.o). So changing the stable release name, and<br>
> at the same time adding the hash would not be a problem.<br>
<br>
</div></div>I like this because there is a history of the hashes in SVN. The<br>
.sha256 file is not version controlled.<br></blockquote><div><br>Nor the root file it's hashing...<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">
> for the latter, the file is named <release-file>.sha256, so for example<br>
> nut-2.6.0.tar.gz.sha256, which allows checking automation.<br>
<br>
</div>I guess I'm not sure I see the advantage of putting it in a separate file.<br></blockquote></div><br clear="all">I see no problem.<br>Can you please do the mod?<br><br>Cheers,<br>Arnaud<br><br>
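The two verification flows discussed in this thread, checking the tarball against a companion .sha256 file with `sha256sum -c` and checking it against a hash pasted on the download page, as an added shell example that is not code from the NUT project or from anyone in this thread. The tarball, its .sha256 file and a tampered copy are constructed in a temporary directory; `shasum` is assumed as a fallback on systems without `sha256sum`.

```shell
#!/bin/sh
# Added example, not NUT project code. All inputs are constructed below.
set -eu

# Hex SHA-256 of a file; uses GNU sha256sum, or shasum where it is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Flow 1: companion file. Runs "sha256sum -c" on <tarball>.sha256 from the
# tarball's directory, since that file names the tarball without a path.
verify_sha256_file() {   # $1 = tarball path
    ( cd "$(dirname "$1")" && base=$(basename "$1") &&
      if command -v sha256sum >/dev/null 2>&1; then
          sha256sum -c --status "$base.sha256"
      else
          shasum -a 256 -c --status "$base.sha256"
      fi )
}

# Flow 2: hash copied from the web page. Whitespace and case are normalised
# before comparing, so a value pasted from HTML still matches.
verify_sha256_inline() { # $1 = tarball path, $2 = expected hex digest
    expected=$(printf '%s' "$2" | tr -d ' \t\n' | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Constructed stand-ins: a fake tarball (name from the thread, fake content),
# its .sha256 file in sha256sum's "<hash>  <name>" format, and a tampered copy.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
TARBALL="$WORK/nut-2.6.0.tar.gz"
TAMPERED="$WORK/nut-2.6.0-tampered.tar.gz"
printf 'constructed release payload\n' > "$TARBALL"
GOOD=$(sha256_of "$TARBALL")
printf '%s  nut-2.6.0.tar.gz\n' "$GOOD" > "$TARBALL.sha256"
{ cat "$TARBALL"; printf 'extra byte\n'; } > "$TAMPERED"

if verify_sha256_file "$TARBALL"; then echo "sha256 file check: OK"; fi
if verify_sha256_inline "$TARBALL" "  $GOOD "; then echo "inline hash: OK"; fi
if ! verify_sha256_inline "$TAMPERED" "$GOOD"; then echo "tampered copy rejected"; fi
```

Either flow only proves the download matches what the site published; the GPG signature mentioned earlier in the thread is what ties the hash back to the release manager.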